CDOE | Certified Defense Operations Expert
Prove you can investigate real intrusions, interpret noisy alerts and logs, reconstruct attacker activity, and deliver clear incident reports that help leadership make fast decisions.
What CDOE Proves
CDOE is a hands-on blue team certification for defenders who want to move beyond multiple-choice theory and into real incident investigation and response.
You will be expected to:
- Work with SIEM-style alerts, logs, and forensic artifacts from a compromised environment.
- Reconstruct attacker paths from initial access to impact.
- Identify gaps in detection, logging, and response.
- Write clear, actionable incident reports for both technical teams and leadership.
If you want to work as a SOC analyst, DFIR responder, or threat hunter, CDOE is built to reflect that day-to-day reality.
Core Topics & Curriculum
CDOE training takes you from foundational SOC workflows into full incident reconstruction and reporting.
- Understanding attacker TTPs and common kill-chain patterns.
- Working with SIEM alerts, log sources, and correlation rules.
- Endpoint and network telemetry: what to collect and where to look.
- Building timelines of attacker activity across hosts and systems.
- Hands-on malware / artifact triage (at a defender-focused depth).
- Containment and remediation recommendations that security teams can act on.
- Writing clean, concise incident reports for executives and technical teams.
The goal is not just “spot the IOC” — it’s learning how to tell the full story of an incident from the defender’s point of view.
Lab Environment
The CDOE labs and exam simulate an environment where an attacker has already done damage — your job is to figure out what happened and how bad it is.
- Pre-generated log data from multiple sources (Windows, Linux, web, security tools).
- Alert sets that contain both noise and signal, forcing prioritization.
- File and artifact samples for basic triage and pivoting.
- Documentation and context similar to what a SOC analyst or responder would receive.
You’re graded on how well you reconstruct the incident and communicate your findings — just like a real investigation.
Exam Snapshot
The CDOE exam is a 7-day remote practical investigation. You’ll be given access to logs, artifacts, and limited environment context from a simulated compromise.
- Review alerts and identify which ones matter.
- Correlate activity across systems and log sources.
- Determine initial access, lateral movement, and impact.
- Document evidence and conclusions in an incident report.
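To make the correlation step concrete, here is an added example that is not part of the CDOE materials: a small Python script that parses constructed log lines from three sources (a web access log, a Linux sshd auth log, and a pipe-delimited Windows event export), normalises their timestamps to UTC, pivots outward from one seed indicator on shared accounts and peer addresses, and tags each linked event with a rough phase. The hostnames, addresses, log formats, the Windows host's UTC-5 export time zone, the 10.0.0.0/8 "internal" range and the impact markers are all assumptions made for illustration.

```python
"""Added example, not CDOE course material: correlate constructed log lines from
three sources into one UTC timeline, pivot from a seed indicator, and tag phases.
Log formats, hostnames, addresses and the 'internal range' are assumptions."""
import ipaddress
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # normalised to UTC
    host: str
    source: str
    actor: str        # account name, or '-' when the record has none
    src_ip: str       # peer address, or '-' when the record has none
    summary: str


# Constructed sample data (not real telemetry). Assumed: syslog lines omit the
# year (taken from case context) and the Windows export is in host-local time (UTC-5).
WEB_ACCESS = [
    '203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2024:09:14:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
LINUX_AUTH = [
    'Mar 12 09:15:10 web01 sshd[2211]: Accepted password for svc_backup from 203.0.113.7 port 51022 ssh2',
    'Mar 12 09:15:40 web01 sshd[2230]: Accepted publickey for deploy from 10.0.0.20 port 40122 ssh2',
]
WIN_EVENTS = [  # timestamp|host|EventID|account|source IP|detail
    '2024-03-12 04:17:05|fs01|4624|svc_backup|10.0.0.5|LogonType=3',
    '2024-03-12 04:17:30|fs01|4624|jdoe|10.0.0.40|LogonType=3',
    '2024-03-12 04:18:22|fs01|4688|svc_backup|-|NewProcess=vssadmin.exe delete shadows /all',
]
CASE_YEAR = 2024
WIN_TZ = timezone(timedelta(hours=-5))
INTERNAL = ipaddress.ip_network('10.0.0.0/8')         # assumed corporate range
IMPACT_MARKERS = ('vssadmin.exe delete shadows',)     # assumed; extend per case


def parse_web(line, host='web01'):
    m = re.match(r'(\S+) - \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d+)', line)
    ip, stamp, method, path, status = m.groups()
    ts = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    return Event(ts, host, 'web', '-', ip, f'{method} {path} -> {status}')


def parse_linux_auth(line):
    m = re.match(r'(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: '
                 r'Accepted (\w+) for (\S+) from (\S+)', line)
    stamp, host, method, user, ip = m.groups()
    ts = datetime.strptime(f'{CASE_YEAR} {stamp}', '%Y %b %d %H:%M:%S')
    return Event(ts.replace(tzinfo=timezone.utc), host, 'linux-auth', user, ip, f'ssh {method} login')


def parse_win(line):
    stamp, host, event_id, user, ip, detail = line.split('|')
    ts = datetime.strptime(stamp, '%Y-%m-%d %H:%M:%S').replace(tzinfo=WIN_TZ)
    return Event(ts.astimezone(timezone.utc), host, 'windows', user, ip, f'EventID {event_id} {detail}')


def load_events():
    """Parse every source and return one list ordered by UTC timestamp."""
    events = [parse_web(l) for l in WEB_ACCESS]
    events += [parse_linux_auth(l) for l in LINUX_AUTH]
    events += [parse_win(l) for l in WIN_EVENTS]
    return sorted(events, key=lambda e: e.ts)


def indicators(e):
    return {v for v in (e.actor, e.src_ip) if v != '-'}


def pivot(events, seed):
    """Breadth-first pivot: start from one indicator and pull in every event
    sharing an account or peer address with something already in the chain.
    Events that only share a host (the 'deploy' and 'jdoe' logons) stay out."""
    known, chain, queue = {seed}, [], deque([seed])
    while queue:
        ind = queue.popleft()
        for e in events:
            if e not in chain and ind in indicators(e):
                chain.append(e)
                for new in indicators(e) - known:
                    known.add(new)
                    queue.append(new)
    return sorted(chain, key=lambda e: e.ts)


def phase(e):
    """Assumed heuristic phase labels; a real case needs analyst judgement."""
    if any(m in e.summary for m in IMPACT_MARKERS):
        return 'impact'
    if e.src_ip == '-':
        return 'execution'
    if ipaddress.ip_address(e.src_ip) in INTERNAL:
        return 'lateral movement'
    return 'initial access'


def timeline(events, seed):
    """Rows of (UTC time, host, phase, summary) for the chain linked to seed."""
    return [(e.ts.strftime('%Y-%m-%d %H:%M:%SZ'), e.host, phase(e), e.summary)
            for e in pivot(events, seed)]


if __name__ == '__main__':
    for row in timeline(load_events(), '203.0.113.7'):
        print(' | '.join(row))
```

Run as-is it prints four rows: the upload from the external address, the password login as svc_backup from that same address, the network logon on fs01 from web01's address, and the shadow-copy deletion. The three benign lines (the index page fetch, the deploy key login, the jdoe logon) never enter the chain, which is the point of pivoting on shared indicators rather than on "everything on the same host". Note that the pivot only sees what the parsers emit, so a gap in collection (no sshd log, no 4688 auditing) shows up as a missing link rather than as an error, which is exactly the kind of logging gap the report should call out.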
Full details are available on the Exam Structure & Requirements page.
How to Prepare & Prerequisites
CDOE is designed to be accessible to defenders early in their career, while still challenging experienced analysts.
- Basic understanding of how logs work (Windows events, syslog, access logs).
- Familiarity with common security terms: alerts, incidents, IOCs, TTPs.
- Comfort reading through text-heavy data and picking out patterns.
- Interest in telling the story of an attack, not just listing artifacts.
For a step-by-step prep roadmap and exam-week mindset, use the dedicated How To Prepare page.
What You’ll Walk Away With
Passing CDOE demonstrates that you can handle real-world detection and response work under pressure.
- A digital CDOE certificate and verification details for employers.
- Experience working through a full incident from intake to final report.
- A stronger personal methodology for log analysis and investigation.
- Confidence that you can contribute meaningfully in a SOC or IR team.